Hackers were pretending to be Coinbase and used well-crafted phishing pages to steal people’s cryptocurrency hauls, according to a report from cybersecurity researchers Group-IB.
As per the report, between November 2022 and 2023, an unnamed group of hackers operated a malware-as-a-service, called Inferno Drainer.
As the name suggests, this type of malware is capable of draining all of the funds found in people’s cryptocurrency wallets, including both fungible and non-fungible tokens (NFT). Other threat actors would use the drainer, and give 20% of all the profits to the operators.
For the drainer to work, a victim must connect their wallet with the attackers’ infrastructure. That was achieved via convincing landing pages. Group-IB said it found more than 16,000 unique domains linked to the Inferno Drainer’s phishing operation. At least 100 different crypto brands were impersonated during that time. It is unknown how many different groups participated in the campaign. What we do know is that most victims who ended up on the landing pages were connecting their wallets thinking they would receive an airdrop.
An airdrop, in the cryptocurrency world, happens when a new project starts, and the developers look to add tokens into circulation. Usually, they would use the promise of an airdrop to create a community and generate buzz around the project, as people interested in receiving the airdrop would be tasked with certain things (for example, sharing Twitter posts, engaging in Discord communications, writing blogs, etc.).
However, instead of receiving the airdrop, once the victims connect their wallets and approve the transactions, the drainer would simply pull all of the funds from the accounts, and given blockchain’s nature, the funds would be lost for good. Group-IB believes that more than 130,000 people fell victim to the campaign, which netted its operators more than $80 million.
Inferno Drainer was allegedly shut down in November 2023, but the user panel was still active as of mid-January this year.